The question of restricting access to one or another Office 365 resource is one that often pops up. By default, being a public cloud SaaS offering, Office 365 is available from any location, at any time. Still, many organizations have the need to restrict access to content they have put in the service, say in a SharePoint Online team site.
Up until recently, restricting access based on the network location was only possible if you had AD FS in place, effectively redirecting the authentication process to your on-prem organization where you can impose the needed restrictions. Few months back, another option become available, namely using conditional access (MFA and Device based rules) for ExO, SPO and some other O365 apps.
Now, few weeks after first showcasing this functionality at Ignite, the ability to restrict access to SPO to a range of predefined IPs/subnets has become available. For example, to restrict access to only requests coming from the company network, one can use:
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList 111.1.1.0/20
Once the restrictions are in place, the any users hitting SPO resources outside of the designated range(s) will get an error message (not very descriptive one). Currently, setting the restrictions is only possible via the SharePoint Online PowerShell module, but we should be getting the relevant controls in the SPO Admin center soon. For more details about the feature, watch the video above, you will also learn about the other controls coming soon 🙂
I would like to know if it’s gonna work if I set a Public IP Addresss to restrict users to access SharePoint Online only from the network thats uses specified public IP adresses. All videos I watched only instructs to set internal IP address which doesn’t make sense to me.
Only Public IPs are relevant here, there’s no way for SharePoint Online to know your internal IP anyway.
How would this affect externally shared content from a sharepoint site? Would this stop external/vendor users that have access to my sites from being able to view the sites or would this just affect internal users that are part of my tenant?